fedora-rpi: Start chrony-wait before host certs

On machines without an RTC, the clock will likely be very wrong on first
boot when the system tries to obtain the initial SSH host certificates.
This results in the SSHCA server rejecting the request because the
authorization token has expired.  To avoid this, we need to ensure the
clock is set before attempting to have the certificates signed.
2024-12-28 12:15:06 -06:00
parent 7c050b7920
commit 6c02a4672c

@@ -26,4 +26,13 @@ uboot-images-armv8
cp -P /usr/share/uboot/rpi_arm64/u-boot.bin /boot/efi/rpi-u-boot.bin
grubby --args='quiet systemd.show_status=1' --update-kernel=ALL
systemctl enable chrony-wait
# Ensure clock is synchronized before trying to get host certs signed
mkdir -p /etc/systemd/system/ssh-host-cert-sign@.service.d
cat > /etc/systemd/system/ssh-host-cert-sign@.service.d/time-sync.conf <<EOF
[Unit]
After=time-sync.target
Wants=time-sync.target
EOF
%end
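Review bot: The `Wants=time-sync.target` line in the time-sync.conf drop-in goes against the convention in systemd.special(7), which describes time-sync.target as a target that consumers order themselves after without pulling it in; the `systemctl enable chrony-wait` line above should already be what activates it, so `After=time-sync.target` alone ought to be enough. Separately, `After=` is ordering only: if chrony-wait gives up before the clock is synchronized, ssh-host-cert-sign@.service will still start with a wrong clock and the request will be rejected as before, so a retry on failure in that unit, or at least a comment noting the limitation, would make the first-boot path more robust. Minor style point: quoting the heredoc delimiter (`<<'EOF'`) would prevent accidental expansion if the drop-in body ever gains a `$`.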